Data Processing Addendum
Last Updated: September 4, 2024
Background
This Thinkific Data Processing Addendum (“Addendum”) forms part of the Self-Serve Terms of Service, the Plus Terms of Service or any other written or electronic agreement for the provision of Services which include the processing of personal data (otherwise referred to in privacy laws as personal information) (the “Agreement”) between you and Thinkific Labs Inc. (“Thinkific”), a British Columbia company with offices at 369 Terminal Ave, Vancouver, British Columbia, V6A 4C4, Canada, to the extent the Agreement involves the processing of personal data (as defined below).
The purpose of this Addendum is to set out our obligations in relation to any processing of personal data carried out as part of the Agreement. Only to the extent that there is any conflict or inconsistency between this Addendum and the Agreement, the terms of this Addendum will take precedence.
1. Definitions
1.1. In this Addendum the following words and expressions have the following meanings unless the context otherwise requires:
“Agreement Personal Data” means any personal data which is processed under the Agreement, including this Addendum, as more particularly described in Annex 1;
“Data Protection Laws” means all laws applicable to any personal data processed under or in connection with the Agreement, including to the extent applicable: (a) the Privacy and Electronic Communications Regulations 2003; (b) the General Data Protection Regulation 2016/679 (“GDPR”); (c) the Data Protection Act 2018 and all other national legislation implementing or supplementing any of the foregoing; (d) the California Privacy Rights Act (CPRA) and other US state law; and (e) all associated codes of practice, regulations and other binding guidance issued by any competent regulator; all as amended, re-enacted or replaced and in force from time to time;
“Personal Data Security Incident” means:
(a) a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Agreement Personal Data transmitted, stored or otherwise processed;
(b) a discovery or reasonable suspicion that there is a vulnerability in any technological measure used to protect any Agreement Personal Data that has previously been subject to a breach within the scope of paragraph (a), which may result in exploitation or exposure of that Agreement Personal Data; or
(c) any defect or vulnerability with the potential to impact the ongoing resilience, security and/or integrity of systems processing Agreement Personal Data;
“Restricted Transfer” means a transfer of Agreement Personal Data which is undergoing processing or which is intended to be processed after transfer, to a country or territory to which such transfer is prohibited or subject to any requirement to take additional steps to adequately protect the Agreement Personal Data for the transfer to be lawful under the Data Protection Laws;
“Services” means any services to be provided by or on behalf of Thinkific under the Agreement;
“Standard Contractual Clauses” means the EU standard contractual clauses established for the transfer of Personal Data to third countries pursuant to a European Commission Implementing Decision (2021/914/EU) of 4 June 2021 under Regulation (EU) 2016/679 and incorporated into this Agreement by reference and as amended, updated or replaced from time to time;
“Sub-Processor” means any person (including any Thinkific group company or other third party) appointed, engaged, or permitted by Thinkific to process Agreement Personal Data; and
“UK Addendum” means the International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner pursuant to section 199A(1) of the UK Data Protection Act 2018 and incorporated into this Agreement by reference and as amended, updated or replaced from time to time;
1.2. When used in this Addendum, the following terms will have the same meaning as in the Data Protection Laws: (a) personal data; (b) personal information; (c) controller; (d) businesses; (e) processor; (f) service providers; (g) processing; (h) special categories of personal data; (i) data subjects; (j) consumer; and (k) supervisory authority.
2. Compliance with the Data Protection Laws
The parties will comply (and will ensure that their personnel and subcontractors comply) with the Data Protection Laws. In particular, Thinkific will comply with all applicable obligations under the CPRA and it shall provide the same level of privacy protection to any Agreement Personal Data as provided under the CPRA.
3. Relationship and Roles of the Parties
3.1. In relation to the processing of Agreement Personal Data, the parties acknowledge and agree that (a) you are the controller (or business) and (b) Thinkific is the processor (or service provider).
3.2. Thinkific agrees that it will process the Agreement Personal Data in accordance with the terms of the Agreement including this Addendum.
4. Responsible Individuals and Enquiries
Each party will notify the other of the individual within its organisation authorised to respond from time to time to enquiries regarding Agreement Personal Data and the processing which is the subject of the Agreement. Each party will deal promptly and reasonably with all such enquiries.
5. Processing of personal data by Thinkific
5.1. Thinkific will:
5.1.1. process the Agreement Personal Data only on your documented instructions, unless otherwise required by law. Accordingly:
5.1.1.1 Thinkific will not sell any Agreement Personal Data received or obtained in connection with performing the Services under the Agreement or share such Agreement Personal Data for cross-context behavioural advertising;
5.1.1.2 Thinkific acknowledges and agrees that any Agreement Personal Data disclosed to it in connection with the Agreement is disclosed only for the limited purpose of providing the Services under the Agreement;
5.1.1.3 Where Thinkific is required by law to process the Agreement Personal Data, it will notify you before carrying out the processing concerned (unless the law also prohibits Thinkific from doing so);
5.1.1.4 Thinkific shall not retain, use, or disclose Agreement Personal Data received or obtained in connection with performing the Services under the Agreement for any purpose other than for the specific purpose of providing Services under the Agreement or outside of its direct business relationship with you; and
5.1.1.5 Thinkific shall not combine any Agreement Personal Data received or obtained in connection with performing the Services under the Agreement with Personal Data which it may otherwise receive, obtain, or collect.
5.1.2. implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks that are presented by the processing, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Agreement Personal Data transmitted, stored or otherwise processed under the Agreement;
5.1.3. take all reasonable steps to ensure that only authorised personnel have access to the personal data and that any persons whom it authorises to have access to the personal data will respect and maintain all due confidentiality in relation to the personal data (including by means of an appropriate contractual duty of confidentiality where the persons concerned are not already under such a duty under the law);
5.1.4. only engage any additional or replacement Sub-Processors in the performance of the Services in accordance with Section 6;
5.1.5. not do, or omit to do, anything which would cause you to be in breach of your obligations under the Data Protection Laws;
5.1.6. promptly notify you if, in Thinkific’s opinion, any instruction given to Thinkific infringes the Data Protection Laws and shall notify you if it determines that it can no longer comply with applicable obligations under the CPRA with respect to Agreement Personal Data received or obtained in connection with performing the Services under the Agreement. Upon receiving such notice or other notice of any non-compliance with the CPRA, you may take reasonable steps to stop and remediate any unauthorized use of Agreement Personal Data received or obtained in connection with performing the Services under the Agreement;
5.1.8. promptly notify you after becoming aware of any Personal Data Security Incident.
5.2. Thinkific may make a Restricted Transfer if it demonstrates or implements an appropriate safeguard for that Restricted Transfer in accordance with Data Protection Laws.
5.3. The Standard Contractual Clauses shall be incorporated by reference and form an integral part of this Agreement as follows:
5.3.1. you shall be the data exporter and Thinkific shall be the data importer to the extent relevant under the applicable law;
5.3.2. Thinkific shall be deemed to have entered into the Standard Contractual Clauses in Thinkific’s own name and on behalf of any affiliates who also act as processor in relation to the Agreement Personal Data;
5.3.3. the provisions and information set out in Annex 2 which are referenced in this Agreement shall be used to identify the relevant module and to complete the Annexures and clauses 7, 11, 17, 18 of the Standard Contractual Clauses;
5.3.4. where and to the extent only that the Standard Contractual Clauses apply, the Standard Contractual Clauses will prevail over any other inconsistent or conflicting agreement between the Parties; and
5.3.5. the authorised sub-processors are as set out in section 6 and the data exporter shall give at least 15 days’ notice of a change.
5.4. When the Services are provided to the UK, transfers of UK Agreement Personal Data shall be conducted through the additional use of the UK Addendum, which converts the Standard Contractual Clauses (incorporated in accordance with clause 5.3) to apply to the UK international transfer of that Personal Data to the extent any Agreement Personal Data is subject to the Data Protection Act 2018. In doing so, the full UK Addendum will also be incorporated by reference and form an integral part of the Agreement and shall apply to the Processing as follows:
5.4.1. as set out in Annex 1;
5.4.2. the provisions and information set out in Annex 4 of this Agreement shall be used to complete the Annexures of the UK Addendum; and
5.4.3. in relation to transfers of UK Agreement Personal Data to third countries, particularly in the event of any inconsistency or conflict between the Parties, then the terms of the Standard Contractual Clauses as amended by the UK Addendum shall apply to those transfers.
5.5. In the event that the Standard Contractual Clauses and/or UK Addendum are superseded or held to be invalid by a court having competent jurisdiction, or that any Supervisory Authority requires transfers of personal data made pursuant to the Standard Contractual Clauses and/or UK Addendum to be suspended, then the parties will co-operate to facilitate use of an alternative transfer mechanism that is legally compliant with applicable Data Protection Laws.
5.6. The qualifications at clause 5.2 will not apply if Thinkific or one of our relevant Sub-Processors is required to make a Restricted Transfer to comply with domestic law to which we are subject, in which case we will notify you of such legal requirement prior to such Restricted Transfer (unless such law prohibits Thinkific from doing so on public interest grounds).
5.7. Where applicable in respect of any Agreement Personal Data, Thinkific will provide reasonable cooperation with you and assist you in ensuring compliance with:
5.7.1. your obligations to respond to requests from any data subject(s) seeking to exercise its/their rights under Data Protection Laws, including by notifying you of any written subject access requests Thinkific receives relating to your obligations under the Data Protection Laws; and
5.7.2. your obligations to, as applicable: (a) ensure the security of the processing; (b) notify the relevant supervisory authority, and any data subject(s), where relevant, of any breaches relating to personal data; (c) carry out any data protection impact assessments of the impact of the processing on the protection of personal data; and (d) consult the relevant supervisory authority prior to any processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by you to mitigate the risk.
5.8. You hereby instruct Thinkific to process Agreement Personal Data to provide the Services in accordance with the Agreement (including this Addendum). You may provide additional instructions to Thinkific to process personal data in writing; however, Thinkific will be obligated to perform such additional instructions only if they are consistent with the terms and scope of the Agreement and this Addendum.
6. Sub-processors
6.1. You hereby agree and provide a general prior authorization that Thinkific and its affiliates may engage Sub-Processors.
6.2. Thinkific will ensure that any Sub-Processor it engages to provide any services on its behalf in connection with the Agreement does so only on the basis of a written agreement that specifies the Sub-Processor’s processing activities and imposes on the Sub-Processor terms no less protective than those in this Addendum. Thinkific will be liable for any act or omission of the Sub-Processor to the same extent as if the act or omission were performed by Thinkific.
6.3. A list of Thinkific’s Sub-Processors is available at https://www.thinkific.com/thinkificsubprocessors/. By entering into this Agreement, you agree to Thinkific’s use of these Sub-Processors. Prior to engaging any additional or replacement Sub-Processor, Thinkific will inform you of any intended changes and, subject to Section 6.4, give you an opportunity to object.
6.4. This Section 6.4 will apply only where and to the extent that you are established within the European Economic Area, the United Kingdom or Switzerland or where otherwise required by Data Protection Laws, including California and other US state law as applicable. In such event, if you object on reasonable grounds relating to data protection to Thinkific’s use of a new Sub-Processor you will promptly, and within 15 days following Thinkific’s notification pursuant to Section 6.3, provide written notice of such objection to Thinkific. Should Thinkific choose to retain the objected-to Sub-Processor, Thinkific will notify you at least 15 days before authorizing the Sub-Processor to process personal data and you may terminate the relevant portion(s) of the Services within 30 days. Upon any termination by you pursuant to this Section 6.4 Thinkific will refund to you any prepaid fees for the terminated portion(s) of the Service that were to be provided after the effective date of termination.
7. Your obligations
You are responsible for independently determining whether the data security provided for in any subscription service offered by Thinkific adequately meets your obligations under applicable Data Protection Laws. You are also responsible for your secure use of any such subscription service, including protecting the security of personal data in transit to and from the subscription service (including to securely back up or encrypt any such personal data).
8. Monitoring of Thinkific’s Performance
You are, at your expense, entitled to monitor and audit Thinkific’s compliance with the Data Protection Laws and its obligations in relation to data processing under the Agreement at any time during normal business hours not more than once per year. Thinkific agrees to promptly provide you with all access, assistance and information that is reasonably necessary to enable the monitoring and audits concerned. If you believe that an on-site audit is necessary, Thinkific agrees to give you reasonable access to its premises (subject to any reasonable confidentiality and security measures), and to any stored personal data and data processing programs it has onsite. You are entitled to have the audit carried out by a reputable third party qualified to carry out such an audit.
9. Completion of Services
Upon completion of the Services, Thinkific will return or delete all Agreement Personal Data in accordance with the applicable provisions of the Agreement, except to the extent that Thinkific is required by law to retain any copies of the Agreement Personal Data.
10. Remedies
Your remedies with respect to any breach by Thinkific of the terms of this Addendum and the overall aggregate liability of Thinkific arising out of, or in connection with the Agreement (including this Addendum) will be subject to any aggregate limitation of liability that has been agreed between the parties under the Agreement (the “Liability Cap”). For the avoidance of doubt, the parties intend and agree that the overall aggregate liability of Thinkific and its affiliates arising out of, or in connection with the Agreement (including this Addendum) will in no event exceed the Liability Cap.
ANNEX 1
DESCRIPTION OF TRANSFER
- Categories of Data Subjects whose personal data is transferred.
You, your customers, students or subscribers or other individuals with whom you deal in the course of your business.
- Categories of personal data transferred.
Identity, Contact, Profile, Financial, Transactional, Usage, Marketing and Communications.
- Sensitive data transferred (if applicable)
Not applicable.
- Frequency of transfer
[One-off][Continuous]
- Nature of processing
Under the Agreement, Thinkific may provide you with Services in relation to any one or more of: (a) online course platform software and affiliated products; (b) online course management and administration; and (c) support and maintenance. The subject matter and nature of processing is related to any personal data you provide in order to enable or facilitate the provision of the Services by Thinkific under the Agreement.
- Purpose of the data transfer and further processing
To enable Thinkific to perform the relevant Services under the Agreement.
- Duration of processing
Throughout the period within which Thinkific performs the relevant Services under the Agreement.
ANNEX 2
INFORMATION AND ANNEXURES TO STANDARD CONTRACTUAL CLAUSES
Table 1 – Module selection and Optional Clause inclusion
For Controller to Processor transfers:
Data exporter | As set out in clause 5.3.1 of this Addendum. |
Data importer | As set out in clause 5.3.1 of this Addendum. |
Module Selection | Module 2 is selected. |
Docking clause | Is intentionally left blank and is not selected. |
Redress | Selected (clause 11 of the Standard Contractual Clauses). |
Supervision | The Competent Supervisory Authority in the EU Member State in which the data exporter is established. |
Governing Law | The Parties agree that this shall be the law of the Republic of Ireland. |
Choice of Forum and Jurisdiction | The courts of the EU Member State in which the data exporter is established. |
Annexure Information | The information required in Annexures 1, 2 and where relevant 3, of the Standard Contractual Clauses shall be obtained by reference to the relevant information set out in Annexures 1, 3 and 4. The information set out below may be updated from time to time and in so doing, the information about international transfers contained in the Standard Contractual Clauses will also be updated. |
Sub-processors | https://www.thinkific.com/thinkificsubprocessors/ |
ANNEX 3
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Thinkific’s security measures are described in our security overview. This overview is updated from time to time but shall provide at a minimum the same level of protection as set forth prior.
ANNEX 4
UK ADDENDUM APPENDIX
UK Addendum Table 1: Parties
Start date | The Commencement Date of the Agreement. |
The Parties | As set out in clause 5.3.1 of this Addendum (Data Exporter) |
Parties’ details | As set out at the beginning of the Agreement |
Key Contact | As set out at the beginning of the Agreement |
Signature (if required for the purposes of paragraph 3) | N/A |
UK Addendum Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs
☐The version of the Approved EU SCCs which the UK Addendum is appended to, detailed below, including the Appendix Information:
Date:
Reference (if any):
Other identifier (if any):
Or
☒The Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this UK Addendum:
Module | X |
Module in operation | X |
Clause 7 (Docking Clause) | No |
Clause 11 (Option) | Yes |
Clause 9a (Prior Authorisation or General Authorisation) | General |
Clause 9a (Time period) | 15 days |
Is personal data received from the Importer combined with personal data collected by the Exporter? | [No] |
UK Addendum Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the appendix of the approved Standard Contractual Clauses (other than the Parties), and which for the UK Addendum is set out in:
Annex 1A UK Addendum: List of Parties: the information contained in Annex 2 is to be read as included here.
Annex 1B UK Addendum: Description of Transfer: the information contained in Annex 2 is to be read as included here.
Annex II UK Addendum: Technical and organisational measures including technical and organisational measures to ensure the security of the data: the information contained in Annex 3 is to be read as included here.
Annex III UK Addendum: List of Sub processors: the information contained in Annex 2 is to be read as included here.
Table 4: Ending this UK Addendum when the approved UK Addendum Changes
Ending this UK Addendum when the approved UK Addendum changes | Which Parties may end this UK Addendum as set out in clause 19 of the UK Addendum: ☐ Importer, ☐ Exporter, ☒ neither Party |